The court found that Facebook collects and uses personal data without providing enough information to its members for them to render meaningful consent.
Photograph: Tobias Schwarz/AFP/Getty Images

Facebook’s default privacy settings and use of personal data are against German consumer law, according to a judgement handed down by a Berlin regional court.

The court found that Facebook collects and uses personal data without providing enough information to its members for them to render meaningful consent. The federation of German consumer organisations (VZBV), which brought the suit, argued that Facebook opted users in to features which it should not have.

Heiko Duenkel, litigation policy officer at the VZBV, said: “Facebook hides default settings that are not privacy friendly in its privacy centre and does not provide sufficient information about it when users register. This does not meet the requirement for informed consent.”

In a statement, VZBV elaborated on some of its issues: “In the Facebook app for smartphones, for example, a location service was pre-activated that reveals a user’s location to people they are chatting to.

“In the privacy settings, ticks were already placed in boxes that allowed search engines to link to the user’s timeline. This meant that anyone could quickly and easily find personal Facebook profiles.”

The Berlin court agreed with VZBV that the five default settings the group had complained about were invalid as declarations of consent. The German language judgment was handed down in mid-January, but only publicly revealed on Monday.

The court also ruled eight clauses in Facebook’s terms of service to be invalid, including terms that allow Facebook to transmit data to the US and use personal data for commercial purposes. The company’s “authentic name” policy – a revision of a rule that once required users to use their “real names” on the site, but which now allows them to use any names they are widely known by – was also ruled unlawful.

In a statement, Facebook said it would appeal, adding: “We are working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law.”

A week after the Berlin court ruled against Facebook, the social network promised to radically overhaul its privacy settings, saying the work would prepare it for the introduction in Europe of the General Data Protection Regulation (GDPR), a sweeping set of laws governing data use across the EU.

Sheryl Sandberg, Facebook’s chief operating officer, announced the changes, saying they would “put the core privacy settings for Facebook in one place and make it much easier for people to manage their data”.

Q&A

What is GDPR?

The European Union's new stronger, unified data protection laws, the General Data Protection Regulation (GDPR), will come into force on 25 May 2018, after more than six years in the making.

GDPR will replace the current patchwork of national data protection laws, give data regulators greater powers to fine, make it easier for companies with a "one-stop-shop" for operating across the whole of the EU, and create a new pan-European data regulator called the European Data Protection Board.

The new laws govern the processing and storage of EU citizens' data, both that given to and observed by companies about people, whether or not the company has operations in the EU. They state that data protection should be both by design and default in any operation.

GDPR will refine and enshrine the "right to be forgotten" laws as the "right to erasure", and give EU citizens the right to data portability, meaning they can take data from one organisation and give it to another. It will also bolster the requirement for explicit and informed consent before data is processed, and ensure that it can be withdrawn at any time.

To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m or 4% of annual global turnover, which is several orders of magnitude larger than previous possible fines. Data breaches must be reported within 72 hours to a data regulator, and affected individuals must be notified unless the data stolen is unreadable, ie strongly encrypted.

Was this helpful?

Thank you for your feedback.

Facebook has faced repeated attacks from European regulators, particularly those in Germany, over issues ranging from perceived anti-competitive practices to alleged misuse of customer data.

Since March 2016, the company has been investigated by the German Federal Cartel Office over allegations it breaches data protection law in order to support an unfair monopoly. In an interim update in December last year, the office said that it objected to the way Facebook gains access to third-party data when an account is opened. This includes transferring information from its own WhatsApp and Instagram products – as well as how it tracks which sites its users access.

In October, Facebook was the target of an EU-wide investigation over a similar issue. The Article 29 Working Party (WP29), which oversees data regulation issues across the European Union, launched a taskforce to examine the sharing of user data between WhatsApp and Facebook, which it says does not have sufficient user consent. When the data sharing feature was first announced in 2016, the group warned Facebook that it may not be legal under European law, prompting the company to pause the data transfer until a resolution was found.

“Whilst the WP29 notes there is a balance to be struck between presenting the user with too much information and not enough, the initial screen made no mention at all of the key information users needed to make an informed choice, namely that clicking the agree button would result in their personal data being shared with the Facebook family of companies,” the group told WhatsApp in October.